OpenPOWER buildroot sources https://git.raptorcs.com/git/buildroot/atom?h=2018.02 2018-01-17T13:07:41+00:00 2018-01-17T13:07:41+00:00 Peter Korsgaard peter@korsgaard.com 2018-01-17T07:42:43+00:00 urn:sha1:d72a2b9247d885c4fc5c2ca6066d3ae6a27a8653 Fixes the following security issue: CVE-2017-3145: Improper sequencing during cleanup can lead to a use-after-free error, triggering an assertion failure and crash in named. For more details, see the advisory: https://lists.isc.org/pipermail/bind-announce/2018-January/001072.html Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-09-22T21:28:10+00:00 Peter Korsgaard peter@korsgaard.com 2017-09-13T13:01:15+00:00 urn:sha1:771bb2d58d945ebd2909dc8ca5cccf30f189c581 To avoid issues with firewalls blocking ftp. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-09-22T21:28:06+00:00 Peter Korsgaard peter@korsgaard.com 2017-09-13T13:01:14+00:00 urn:sha1:f3e3b36159fa077400e7151b3e3d03082a897b2e Adds support for the new ICANN DNSSEC root key for the upcoming KSK rollover (Oct 11): https://www.icann.org/resources/pages/ksk-rollover For more details, see the release notes: https://kb.isc.org/article/AA-01522 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-09-10T15:16:15+00:00 Thomas Petazzoni thomas.petazzoni@free-electrons.com 2017-09-10T15:16:15+00:00 urn:sha1:6b268180c142f5e3d7d56f16e6b2025173609768 This reverts commit 7c0ecd4d7526dedce85a49172b031f45cde19a4b, as it is in fact a duplicate of commit bb95fef1e0bec4ebc0584001f337438b17c4744d. Reported-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-09-09T20:25:02+00:00 Robin Jarry robin.jarry@6wind.com 2017-09-08T14:02:49+00:00 urn:sha1:7c0ecd4d7526dedce85a49172b031f45cde19a4b Bind autoconf scripts look for lmdb.h in /usr/include (even when cross-compiling). When liblmdb-dev is installed, this causes the following error: ... checking for lmdb library... yes checking for library containing mdb_env_create... no configure: error: found lmdb include but not library. Fix this by disabling explicitly lmdb support. Signed-off-by: Robin Jarry <robin.jarry@6wind.com> Signed-off-by: Julien Floret <julien.floret@6wind.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-08-08T18:45:07+00:00 Peter Seiderer ps.report@gmx.net 2017-08-08T16:57:58+00:00 urn:sha1:bb95fef1e0bec4ebc0584001f337438b17c4744d Fix configure failure in case lmdb devel files are present on the host by adding --without-lmdb option (reported [1] and fix tested [2],[3] by grunpferd@netscape.net). Fixes: checking for lmdb library... yes checking for library containing mdb_env_create... no configure: error: found lmdb include but not library. [1] http://lists.busybox.net/pipermail/buildroot/2017-August/199945.html [2] http://lists.busybox.net/pipermail/buildroot/2017-August/199963.html [3] http://lists.busybox.net/pipermail/buildroot/2017-August/199964.html Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> 2017-07-24T16:33:42+00:00 Peter Korsgaard peter@korsgaard.com 2017-07-24T09:16:10+00:00 urn:sha1:c237f1d1c5447af3b967304d7929cf115ea1aa5d BIND 9.11.1-P3 addresses a TSIG regression introduced in the 9.11.1-P2 security bump: https://lists.isc.org/pipermail/bind-announce/2017-July/001057.html Also add a hash for the license file while we're at it. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-07-02T21:48:41+00:00 Peter Korsgaard peter@korsgaard.com 2017-07-02T15:01:48+00:00 urn:sha1:a0c53973f87928ae51ca58926951c386c74fc023 Fixes the following security issues: CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone transfers An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into: * providing an AXFR of a zone to an unauthorized recipient * accepting bogus NOTIFY packets https://kb.isc.org/article/AA-01504/74/CVE-2017-3142 CVE-2017-3041: An error in TSIG authentication can permit unauthorized dynamic updates An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. https://kb.isc.org/article/AA-01503/74/CVE-2017-3143 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-06-20T21:14:16+00:00 Peter Korsgaard peter@korsgaard.com 2017-06-20T20:55:34+00:00 urn:sha1:e14d89d5e08c47e4e93074cd85cb412af9eafa5e Fixes the following security issues: CVE-2017-3140 is a denial-of-service vulnerability affecting 9.9.10, 9.10.5, 9.11.0->9.11.1, 9.9.10-S1, and 9.10.5-S1 when configured with Response Policy Zones (RPZ) utilizing NSIP or NSDNAME rules. https://kb.isc.org/article/AA-01495/74/CVE-2017-3140 CVE-2017-3141 is a Windows privilege escalation vector affecting 9.2.6-P2+, 9.3.2-P1+, 9.4.x, 9.5.x, 9.6.x, 9.7.x, 9.8.x, 9.9.0->9.9.10, 9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, and 9.10.5-S1. The BIND Windows installer failed to properly quote the service paths, possibly allowing a local user to achieve privilege escalation, if allowed by file system permissions. https://kb.isc.org/article/AA-01496/74/CVE-2017-3141 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-04-20T19:47:07+00:00 Vicente Olivert Riera Vincent.Riera@imgtec.com 2017-04-20T12:32:19+00:00 urn:sha1:b9e147dd5e2098ed4e3a772ca3ababb624e4aae6 Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>